November 25, 2021

Lawful interception

For at least five years the stories have been coming about the Israeli company NSO Group. For most people, NSO is not a direct threat. For human rights activists, dissidents, lawyers, politicians, journalists, and others targeted by hostile authoritarian states, however, its elite hackers are dangerous. NSO itself says it supplies lawful interception, and only to governments to help catch terrorists.

Now, finally, someone is taking action. Not, as you might reasonably expect, a democratic government defending human rights, but Apple, which is suing the company on the basis that NSO's exploits cost it resources and technical support. Apple has also alerted targets in Thailand, El Salvador, and Uganda.

On Twitter, intelligence analyst Eric Garland picks over the complaint. Among his more scathing quotes: "Defendants are notorious hackers - amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse", "[its] practices threaten the rules-based international order", and "NSO's products...permit attacks, including from sovereign governments that pay hundreds of millions of dollars to target and attack a tiny fraction of users with information of particular interest to NSO's customers".

The hidden hero in this story is the Canadian research group Citizen Lab, which calls NSO's work "despotism as a service".

Citizen Lab began highlighting NSO's "lawful intercept" software in 2016, when analysis it conducted with Lookout Security showed that a suspicious SMS message forwarded by UAE-based Ahmed Mansoor contained links belonging to NSO Group's infrastructure. The links would have led Mansoor to a chain of zero-day exploits that would have turned his iPhone 6 into a comprehensive, remotely operated spying device. As Citizen Lab wrote, "Some governments cannot resist the temptation to use such tools against political opponents, journalists, and human rights defenders." It went on to note the absence of human rights policies and due diligence at spyware companies; the economic incentives all align the wrong way. An Android version was found shortly afterwards.

Among the targets Citizen Lab found in 2017: Mexican scientists working on obesity and soda consumption, and Amnesty International researchers. In 2018, Citizen Lab reported that Internet scans found 45 countries where Pegasus appeared to be in operation, at least ten of them working cross-border. In 2018, Citizen Lab also found Pegasus on the phone of Canadian resident Omar Abdulaziz, a Saudi dissident linked to murdered journalist Jamal Khashoggi. In September 2021, Citizen Lab discovered NSO was using a zero-click, zero-day vulnerability in the image rendering library used in Apple's iMessage to take over targets' iOS, WatchOS, and MacOS devices. Apple patched 1.65 billion products.

Both Privacy International and the Pegasus project, a joint investigation into the company by media outlets including the Guardian and coordinated by Forbidden Stories, have found dozens more examples.

In July 2021, a leaked database of 50,000 phone numbers believed to belong to people of interest to NSO clients since 2016 included human rights activists, business executives, religious figures, academics, journalists, lawyers, and union and government officials around the world. It was not clear if their devices had been hacked. Shortly afterwards, Rappler reported that NSO spyware can successfully infect even the latest, most secure iPhones.

Citizen Lab began tracking litigation and formal complaints against spyware companies in 2018. In a complaint filed in 2019, WhatsApp and Facebook are arguing that NSO and Q Cyber used their servers to distribute malware; on November 8 the US ninth circuit court of appeals rejected NSO's claim of sovereign immunity, opening the way to discovery. Privacy International promptly urged the British government to send a clear message, given that NSO's target was a UK-based lawyer challenging the company over human rights violations in Mexico and Saudi Arabia.

Some further background is to be found at Lawfare, where shortly *before* the suit was announced, security expert Stephanie Pell and law professor David Kaye discuss how to regulate spyware. In 2019, Kaye wrote a report calling for a moratorium on the sale and transfer of spyware and noting that its makers "are not subject to any effective global or national control". Kaye proposes adding human rights-based export rules to the Wassenaar Arrangement export controls for conventional arms and dual-use technologies. Using Wassenaar, on November 3 the US Commerce Department blacklisted NSO as a national security threat, along with fellow Israeli company Candiru, Russian company Positive Technologies, and Singapore-based Computer Security Initiative Consultancy. And there are still more, such as the surveillance system sold to Egypt by France-based Thales subsidiary Dassault and Nexa Technologies.

The story proves the point many have made throughout 30 years of fighting for the right to use strong encryption. While governments and their law enforcement agencies insist they need access to keep us safe, there is no magic hole that only "good guys" can use, and any system created to give special access will always end up being abused. We can't rely on the technology companies to defend human rights; that's not in their business model. Governments need to accept and act on the reality that exceptional access for anyone makes everyone everywhere less safe.

Illustrations: Citizen Lab's 2021 map of the distribution of suspected NSO infections (via Democracy Now).

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

November 19, 2021

Digital god squabble

On Wednesday, Amazon customers in the UK woke up to an (in some cases, weirdly empty) email whose news was in the subject: Amazon will cease accepting Visa credit cards (but not debit cards) for payment as of January 19, 2022.

If your first reaction is, "What's the punchline?" I'm with you. What the hell kind of crazy business decision is that?

As Hilary Osborne reports at the Guardian, the email went on to explain that the decision is "due to the high fees Visa charges for processing credit card transactions."

Huh? Like most people, I remained under the impression that it's American Express, not Visa, that charges the highest commissions to merchants. On Twitter, Drew Graham offers a more interesting explanation: taxes. It's a *Brexit* thing. The UK's departure from the EU means that, because of Amazon's habit of accepting payments via its no-tax Luxembourg subsidiary, UK shoppers' remittances are now cross-border payments subject to interchange fees. Both Visa and Mastercard raised these earlier this year, now that EU regulation capping such fees no longer applies. Amazon *could* move its financial arrangements to the UK, but then (the theory continues) it would be hit with taxes. What's one of the biggest, most highly market-capped companies in the world supposed to do when mean, old Visa and national governments want to be paid?

Why Visa but not Mastercard? As several others pointed out, Amazon promotes a branded Mastercard in the UK and also has a deal with American Express. And so, only Visa credit cards take the hit. I find it all supremely weird: Amazon, which has made its name by espousing customer service to the max, is now going to make it less convenient for its UK customers to shop there? Does Amazon think that anyone who pays it with a Visa card probably *also* has a Mastercard? Is it hoping that its customers will rise up in anger and demand that Visa cut it a deal? Or rise up in protest against government taxation that pays for our schools, hospitals, and government corruption? Is it hoping that Visa will be persuaded by the share price drop the announcement occasioned (the day of the announcement, Visa dropped 6.7%)? Or is it, as seems more likely, that we don't matter *at all* and this is one of those no-you're-the-chicken contests in which two bullies pretend they won't budge, leaving their customers to wait it out, annoyed, until they finally settle because less of something is better than all of nothing?

This is not a good look for a company trying to argue it's not a monopoly, nor a good look for a company that makes its money through usury.

The question being asked here is perennial, and more commonly found in the broadcasting and telecommunications industries: who owns the audience? This is part of what network neutrality is about. Periodically, TV channels disappear from US cable TV packages because of fights over who should pay more or less to access the audience (and who brings that audience). So here: do you buy from Amazon because you can pay with your Visa card, or do you have a Visa card because it lets you buy from Amazon (and thousands of other retailers)?

In past cases, technology giants have often pressed their users into service - see for example, Uber vs Transport for London. In this case, though, many users have alternatives available, either other credit cards (Mastercard, American Express, and so on) or debit cards (don't; in the UK, you're better protected against online fraud with a credit card). We also still have other suppliers, though they take time to locate and effort to set up new accounts.

According to Business Insider, the UK is Amazon's third-largest market, and represents one-tenth the sales of the US. At the Washington Post, Bloomberg opinion writer Paul J. Davies says industry data suggests that Visa credit cards represent only 7% of all card-based purchases in the UK. Extrapolated to Amazon's $26.5 billion 2020 UK net sales, that's a mere snip of $1.8 billion in sales. It's a reasonable bet that most people will simply choose an alternative method of payment - and, as Davies points out, new technology is offering consumers more and more alternatives that are faster and cheaper than Mastercard's and Visa's legacy networks. Calling Amazon's move "passive-aggressive", Davies adds that although Britain is hogging the headlines, users in Australia and Singapore are facing a 0.5% surcharge for using Visa cards there.

The whole thing is so many kinds of wrong. For the last several years, Amazon has been accused of using its data access to squeeze the small merchants that use its Marketplace platform, while . Now, both Amazon and Visa are so big that each thinks it can squeeze the other. What do we do if either turns out to be right?

At Telecom, Scott Bicheno correctly calls hogwash on Visa's plaint that it hates to see restrictions on consumer choice. "What we have here is an e-commerce near monopolist locking horns with a payment processing near-monopolist... we can but watch impotently as the digital gods squabble in the heavens over our hard-earned cash."

Unless we start reining in some of these companies, this is our future: fewer and fewer bigger and bigger companies fighting over an increasingly helpless us.

Illustrations: Cocks fighting (via shree650 at Wikimedia).